Bug 329953 (CVE-2010-2480) - <dev-python/mako-0.3.4: XSS (CVE-2010-2480)
Summary: <dev-python/mako-0.3.4: XSS (CVE-2010-2480)
Status: RESOLVED FIXED
Alias: CVE-2010-2480
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://www.makotemplates.org/CHANGES
Whiteboard: B4 [noglsa]
Keywords:
Depends on: 329787
Blocks:
Reported: 2010-07-26 15:58 UTC by Stefan Behte (RETIRED)
Modified: 2010-09-29 17:50 UTC
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---

Description Stefan Behte (RETIRED) gentoo-dev Security 2010-07-26 15:58:23 UTC
CVE-2010-2480 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2480):
  Mako before 0.3.4 relies on the cgi.escape function in the Python
  standard library for cross-site scripting (XSS) protection, which
  makes it easier for remote attackers to conduct XSS attacks via
  vectors involving single-quote characters and a JavaScript onLoad
  event handler for a BODY element.
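The weakness in the NVD text above is that cgi.escape() never touched single quotes (and double quotes only with quote=True), so a value placed inside a single-quote-delimited attribute could terminate the attribute early. The following added example, which is not Mako's code and not part of the bug report, reimplements the old cgi.escape() behaviour as legacy_cgi_escape (cgi.escape was removed from the standard library in Python 3.8) and contrasts it with html.escape(), which also encodes the single quote. The sample value is constructed for the demonstration.

```python
import html

# Constructed sample input: a user-supplied value containing a single quote.
SAMPLE_VALUE = "it's"


def legacy_cgi_escape(s: str, quote: bool = False) -> str:
    """Reimplementation of the pre-3.8 cgi.escape() behaviour for comparison
    (not the stdlib function itself). Escapes &, <, > and, only when
    quote=True, the double quote. The single quote is never escaped."""
    s = s.replace("&", "&amp;")
    s = s.replace("<", "&lt;")
    s = s.replace(">", "&gt;")
    if quote:
        s = s.replace('"', "&quot;")
    return s


def hardened_escape(s: str) -> str:
    """html.escape with quote=True encodes both quote kinds, so the value
    cannot terminate either a single- or double-quoted attribute."""
    return html.escape(s, quote=True)


def render_single_quoted_attr(value: str, escaper) -> str:
    """Render the value into a single-quote-delimited attribute, the
    context the advisory describes, using the given escaper."""
    return "<body class='%s'>" % escaper(value)


def delimiter_survives(value: str, escaper, delimiter: str = "'") -> bool:
    """Defender's check: True if the escaper leaves the attribute delimiter
    intact in its output, i.e. the attribute context can be broken out of."""
    return delimiter in escaper(value)


if __name__ == "__main__":
    for name, esc in (("legacy cgi.escape", legacy_cgi_escape),
                      ("html.escape", hardened_escape)):
        print(name, "->", render_single_quoted_attr(SAMPLE_VALUE, esc),
              "breaks attribute:", delimiter_survives(SAMPLE_VALUE, esc))
```

Running the block shows the legacy escaper passing the raw quote through into the attribute while html.escape renders it as &#x27;; the same delimiter_survives check can be pointed at any templating engine's escape filter to confirm it covers the quote style the template actually uses.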
Comment 1 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2010-07-26 16:03:21 UTC
dev-python/mako-0.3.4 is already in the tree and is being stabilized in bug #329787.
Comment 2 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2010-09-29 17:05:08 UTC
Vulnerable versions have been deleted.
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2010-09-29 17:50:13 UTC
XSS in webapp -> noglsa.